Skip to content

autobump-security-config #218

autobump-security-config

autobump-security-config #218

name: autobump-security-config
on:
schedule:
- cron: 0 8 * * *
push:
branches:
- main
paths:
- '**/*.md'
- '**/*.yml'
- '**/*.yaml'
- '**/*.tf'
- '**/*.tfvars'
env:
AUTOBUMP_CONFIG_PATH: configs/autobump-config/test-infra-sec-config-autobump-config.yaml
SEC_SCANNERS_CONFIG_PATH: sec-scanners-config.yaml
TERRAFORM_CONFIGS_DIR: configs/terraform
jobs:
autobump:
runs-on: ubuntu-latest
permissions:
id-token: write # This is required for requesting the JWT token
contents: read # This is required for actions/checkout
concurrency:
# Prevent merge conflicts on pushing to fork repo between different runs.
# Image detector will update already existing PR with new changes, to keep clean history it's preferd to do it one by one.
group: post-test-infra-image-detector-autobump
cancel-in-progress: false
steps:
- uses: actions/checkout@v4
# Setup git config with commiter data from config
# Prevent silent passing github token
# see https://stackoverflow.com/a/69979203/23148781
- name: Setup git config
run: |
GIT_USERNAME=$(grep "gitName" ${{ env.AUTOBUMP_CONFIG_PATH }} | cut -d '"' -f 2)
GIT_EMAIL=$(grep "gitEmail" ${{ env.AUTOBUMP_CONFIG_PATH }} | cut -d '"' -f 2)
git config user.name $GIT_USERNAME
git config user.email $GIT_EMAIL
git config --unset-all http.https://github.com/.extraheader
- name: Authenticate in GCP
id: 'auth'
uses: 'google-github-actions/auth@v2'
with:
project_id: ${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}
workload_identity_provider: ${{ vars.GH_COM_KYMA_PROJECT_GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER }}
- name: Get kyma bot token from Secret Manager
id: 'secrets'
uses: 'google-github-actions/get-secretmanager-secrets@v2'
with:
secrets: |-
kyma-autobump-token:${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}/${{ vars.KYMA_AUTOBUMP_BOT_GITHUB_SECRET_NAME }}
- name: Store Github Token for autobumper
run: |
echo ${{ steps.secrets.outputs.kyma-autobump-token }} > ~/token
- name: Find images to scan
run: |
docker run \
-v ~/token:/etc/github/token:ro \
-v ${{ github.workspace }}:/github/workspace \
--workdir /github/workspace \
--rm \
--privileged \
--cap-drop ALL \
europe-docker.pkg.dev/kyma-project/prod/image-detector:v20241219-999037df \
--terraform-dir=${{ env.TERRAFORM_CONFIGS_DIR }} \
--sec-scanner-config=${{ env.SEC_SCANNERS_CONFIG_PATH }} \
--autobump-config=${{ env.AUTOBUMP_CONFIG_PATH }}